Security in the Software Development Lifecycle: “Build Security In”
Security should be considered at all phases of the software development lifecycle.
The traditional Software Development Lifecycle (SDLC) is a structured methodology for developing software. Its phases of development include:
- Analysis or requirements gathering: clearly defining the problem or project
- Design or planning: creating an algorithmic solution for the problem
- Implementation: coding the solution using a programming language, and running it to check for correctness
- Testing: formally testing and debugging
- Maintenance: maintaining, changing, and documenting the program
Since security has become a more prevalent concern, it is important to consider security at all stages of a software project. Building secure software is more effective than adding security features after the project is complete.
Risk — What’s the Risk?
Poor design and insufficient testing lead to insecure software. Most security issues result from attacks exploiting insecure software.
- In 2002, in response to the proliferation of security issues, including terrorist attacks and malicious software, Bill Gates wrote a famous “security evangelist” memo (found here), committing his company to building secure software.
- Thousands of vulnerabilities are reported each year (see here). At the same time, the number and severity of the attacks continue to increase.
Develop Programs Responsibly
- Analyze Responsibly: You must understand the given problem and consider the security risks to develop a solution.
- Design Responsibly: Create an algorithm to solve the problem you understood in the above step.
- Implement Responsibly:
  - If possible, select a programming language (C, C++, Java, Python, etc.) you would like to code in. There are different security considerations in each language.
  - Select an appropriate IDE (Integrated Development Environment) toolkit for the programming language you selected (e.g., Visual Studio, NetBeans, Eclipse, DrJava). Many IDEs provide functionality to check for insecure code.
  - Code and compile your program, correcting syntax errors and warnings issued by the compiler.
- Test Responsibly: Run your program and examine the output carefully. Test the program for both reasonable and unreasonable values.
- Maintain Responsibly: Maintain your code to accommodate updates. The code must be documented, well-formatted, and readable.
- Create a project.
- Edit: Type in the following program exactly as written. Include your name and date.
- Compile and run: Examine the output carefully.
- If you carefully completed the background section, you will see that step 6 is incorrect. Security features should not be added after the program is complete, but should be included at all levels of the SDLC. Revise the program (remove step 6 and add “with security in mind” at each step) so that it produces the correct output.
Introduction to Checklists
Checklists are used by airline pilots, in emergency rooms in hospitals, and increasingly in the software industry, to enforce safety procedures. We will use checklists throughout these modules, primarily to check the security of our code. Use the following checklist to ensure you have completed this lab correctly.
Intro to the SDLC: CS0

| Look at your output from Program 1: | Completed |
|---|---|
| 1. Is security considered in the analysis phase, when you are defining the problem? | |
| 2. Is security considered in the design phase? | |
| 3. Is security considered in the implementation phase? | |
| 4. Is security considered in the testing phase? | |
| 5. Is security considered in the maintenance phase? | |
| 6. Is security considered in all parts of the SDLC? | |

If you answered yes to all of the above questions, you are describing the Secure Development Lifecycle (SDLC).
- Where do you think security should fit into the SDLC?
- Why is security more of a concern than it was 10 years ago?
- If a program has no syntax errors, can we assume that it is secure?
- Compare software security and security software.